Approximate Fingerprinting to Accelerate Pattern Matching

By Lukas Kencl and Gianluca Iannaccone

Abstract

Pattern matching and analysis over network data streams is increasingly becoming an essential primitive of network monitoring systems. It is a fundamental part of most intrusion detection systems, worm-detecting algorithms and many other anomaly detection mechanisms. It is a processing-intensive task, usually requiring a search for a large number of patterns simultaneously. We propose the technique of “approximate fingerprinting” to reduce the memory demands and significantly accelerate the pattern matching process. The method computes fingerprints of prefixes of the patterns and matches them against the input stream. It acts as a generic preprocessor to a standard pattern matching engine by “clearing” a large fraction of the input that would not match any of the patterns. The main contribution is the “approximate” characteristic of the fingerprint, which allows the fingerprinting window to slide through the packet at a faster rate, while maintaining a small memory footprint and a low number of false positives. As an improvement over a Bloom filter solution, a fingerprint can indicate which patterns are the candidate matches. We validate our technique by presenting the performance gain for the popular Snort intrusion detection system with the preprocessor in place.

Topics: C.2.3 [Network Operations]: Network monitoring; I.5.2 [Design Methodology]: Classifier design and evaluation; C.2.0 [General]: Security and protection
General Terms: Performance, Design, Measurement
Keywords: Pattern matching, intrusion detection, fingerprint, deep packet
Year: 2011
OAI identifier: oai:CiteSeerX.psu:10.1.1.182.3460
Provided by: CiteSeerX